Cybercriminals are increasingly exploiting browser extensions to bypass security controls, putting high-value business accounts at risk. A recent example, the CL Suite by @CLMasters Chrome extension, targets Meta Business Suite and Facebook Business Manager, quietly stealing two-factor authentication (2FA) codes and sensitive analytics data.
For CISOs, security engineers, and IT managers, understanding the mechanics of such threats is critical. In this article, you’ll learn how this extension works, the risks it poses, and best practices to protect your business accounts.
What is the CL Suite Chrome Extension?
The CL Suite extension claims to be a productivity tool for Meta Business users. Marketed features include:
- Extracting people data
- Analyzing Business Managers
- Removing verification popups
- Generating 2FA codes
However, technical analysis from Socket AI Scanner reveals that the extension behaves like an infostealer, harvesting authentication secrets and business intelligence from admin sessions.
How the Extension Exploits 2FA
- Users generate 2FA codes through the extension.
- The extension captures the TOTP seed and the current 6-digit 2FA code.
- This data, along with usernames and emails, is sent to attacker-controlled infrastructure at getauth[.]pro, with optional forwarding to Telegram.
- With the seed, attackers can generate valid 2FA codes indefinitely, enabling account takeover once passwords or recovery channels are compromised.
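An added example (not from the article or from Socket's analysis) of why a captured seed is a standing compromise rather than a one-time leak: RFC 6238 derives every code deterministically from the seed and the clock, so codes from a stolen seed keep validating until the account is re-enrolled with a fresh secret. The seed used is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test key, base32-encoded the way authenticator apps store it. Demo value only.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30  # seconds per TOTP window

def totp(seed_b32, unix_time, step=STEP, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def stolen_seed_still_valid(stolen_seed_b32, account_seed_b32, from_time, windows=20):
    """True if codes derived from the stolen seed keep matching the account's current seed for
    the next `windows` time steps, i.e. the theft has not yet been remediated."""
    return all(totp(stolen_seed_b32, from_time + i * STEP) == totp(account_seed_b32, from_time + i * STEP)
               for i in range(windows))

def fresh_seed_b32():
    """New 160-bit secret for re-enrolment, the remediation the article calls for."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

if __name__ == "__main__":
    now = 1_700_000_000
    print("stolen seed valid before re-enrolment:", stolen_seed_still_valid(DEMO_SEED_B32, DEMO_SEED_B32, now))
    print("stolen seed valid after re-enrolment: ", stolen_seed_still_valid(DEMO_SEED_B32, fresh_seed_b32(), now))
```

Rotating the password alone leaves `stolen_seed_still_valid` true; only a new seed makes it false.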
Business Manager Data Targeted
The extension also aggressively harvests Meta Business Manager information, including:
- Contact details of all users (names, emails, roles, access levels)
- Business Manager IDs, linked ad accounts, pages, and billing configurations
- Complete mapping of business assets and ad spend
This data can fuel fraud campaigns, ad spend hijacking, and targeted phishing attacks.
Real-World Impact
Even with a limited install base, CL Suite provides attackers with enough visibility to:
- Identify high-value targets
- Plan follow-on fraud or account-takeover campaigns
- Exploit weaknesses in enterprise admin browsers
Organizations relying on Facebook Business or Meta Business Suite could face financial loss, reputational damage, and compliance risks if such extensions go unchecked.
Common Mistakes Organizations Make
- Blind trust in browser extensions – assuming tools in official stores are safe.
- Using in-browser 2FA generators from unverified extensions.
- Lack of audit on admin browser environments, which increases exposure to malicious plugins.
- Ignoring signals from threat intelligence feeds and security monitoring.
Best Practices to Mitigate Browser Extension Threats
Immediate Actions
- Remove CL Suite and similar extensions from all admin browsers.
- Re-enroll 2FA with fresh secrets for all affected accounts.
- Audit Business Manager roles and access levels to ensure no unauthorized changes.
- Monitor outbound traffic to suspicious domains like getauth[.]pro.
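As an added example (not part of the article), a small detection pass that applies the domain from the report to constructed proxy log lines and lists the admin machines that talked to it. `api.telegram.org` is an assumption added here because the article says stolen data may be forwarded to Telegram; drop it where Telegram is used legitimately.

```python
from urllib.parse import urlsplit

# getauth.pro is the exfiltration domain named in the article (defanged there as getauth[.]pro).
# api.telegram.org is an assumption: the Telegram Bot API host, since the article says data may be
# forwarded to Telegram. It is noisy in environments where Telegram is used legitimately.
WATCHLIST = {"getauth.pro", "api.telegram.org"}

# Constructed sample proxy log (time, client IP, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.0.12 GET https://business.facebook.com/latest/home 200
2024-05-01T10:02:14Z 10.0.0.12 POST https://getauth.pro/api/collect 200
2024-05-01T10:02:15Z 10.0.0.12 POST https://api.telegram.org/botPLACEHOLDER/sendMessage 200
2024-05-01T10:03:40Z 10.0.0.31 GET https://www.getauth.pro/ 404
2024-05-01T10:04:02Z 10.0.0.44 GET https://notgetauth.pro/ 200
"""

def host_on_watchlist(host, watchlist=WATCHLIST):
    """Exact or subdomain match only: 'notgetauth.pro' must not match 'getauth.pro'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def find_suspicious(log_text, watchlist=WATCHLIST):
    """Return one record per log line whose destination host is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or truncated line
        ts, client, method, url, status = parts[:5]
        host = urlsplit(url).hostname or ""
        if host_on_watchlist(host, watchlist):
            hits.append({"time": ts, "client": client, "method": method, "host": host, "status": status})
    return hits

def clients_to_investigate(log_text, watchlist=WATCHLIST):
    """Distinct source IPs that reached a watch-listed host: the browsers to audit and clean first."""
    return sorted({h["client"] for h in find_suspicious(log_text, watchlist)})

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
    print("investigate:", clients_to_investigate(SAMPLE_LOG))
```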
Long-Term Strategies
- Enforce browser extension allow-lists for all admin users.
- Educate employees about phishing and malicious browser extensions.
- Integrate browser security monitoring into your SOC operations.
- Regularly review compliance standards (NIST, ISO 27001) for endpoint security controls.
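Enforcing an allow-list starts with knowing what is installed. As an added example (not the article's or any vendor's code), this audit walks Chrome's on-disk extension layout, reports every extension not on an assumed allow-list, and highlights permissions that expose sessions and traffic. The allow-list IDs and the sample manifests are placeholders constructed for the dry run.

```python
import json
import tempfile
from pathlib import Path

# Assumed allow-list of extension IDs (placeholders; Chrome IDs are 32 chars from a-p). Replace with your own.
ALLOWED_EXTENSION_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Permissions that let an extension read cookies, tabs or traffic; worth a second look even when allow-listed.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "<all_urls>"}

def audit_extensions(extensions_dir, allowed=ALLOWED_EXTENSION_IDS):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's layout) and report each
    installed extension that is not allow-listed, with any risky permissions it declares."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest is still reported below
            perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            if ext_dir.name not in allowed:
                findings.append({"id": ext_dir.name, "version": version_dir.name,
                                 "name": data.get("name", "?"), "risky": sorted(perms & RISKY_PERMISSIONS)})
    return findings

def make_sample_profile(root):
    """Constructed sample tree for a dry run: one approved extension and one unvetted extension
    declaring a broad permission set. Placeholder data, not the real CL Suite manifest."""
    sample = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Approved Password Manager", "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Unvetted Suite", "permissions": ["cookies", "tabs", "storage"],
                                             "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in sample.items():
        d = Path(root) / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root) / "Extensions"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(make_sample_profile(tmp))

if __name__ == "__main__":
    # Linux default profile; macOS: ~/Library/Application Support/Google/Chrome/Default/Extensions
    live = Path.home() / ".config/google-chrome/Default/Extensions"
    for finding in (audit_extensions(live) if live.is_dir() else demo()):
        print(finding)
```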
Tools and Frameworks
To strengthen defenses, organizations should leverage:
- MITRE ATT&CK: Map potential extension behaviors to tactics like Credential Access (T1555) and Data from Local System (T1005).
- NIST Cybersecurity Framework: Guide risk assessment and remediation for endpoint threats.
- Enterprise Browser Policies: Configure Chrome or Edge to restrict unverified extensions.
These frameworks help detect, prevent, and respond to browser-based malware efficiently.
Expert Insights
- Risk Impact: Loss of 2FA seeds compromises multi-layered security protections, enabling attackers to bypass zero trust controls.
- Compliance Relevance: Exposure of user data may violate GDPR, CCPA, or industry-specific regulations if sensitive PII is exfiltrated.
- Security Recommendation: Only allow vetted extensions, enforce least privilege access, and treat in-browser authentication tools with caution.
FAQs
Q1: How does the CL Suite extension steal 2FA codes?
A1: It captures the TOTP seed and current 6-digit code, then sends them to attacker infrastructure, allowing indefinite 2FA code generation.
Q2: Is the extension still available in the Chrome Web Store?
A2: Yes, it remains listed, but organizations should remove it immediately from all browsers.
Q3: Can attackers access Facebook Business Manager analytics with this extension?
A3: Yes, the extension exfiltrates account contacts, ad accounts, connected pages, and billing information.
Q4: How can enterprises prevent similar threats?
A4: Enforce extension allow-lists, audit admin browsers, re-enroll 2FA secrets, and monitor traffic to suspicious domains.
Q5: What frameworks help mitigate these risks?
A5: MITRE ATT&CK for threat mapping, NIST CSF for endpoint risk management, and enterprise browser policies to restrict extensions.
Conclusion
The CL Suite by @CLMasters Chrome extension highlights the rising danger of malicious browser extensions targeting high-value business accounts. Organizations must:
- Audit and remove risky extensions
- Re-enroll 2FA secrets
- Monitor sensitive account activity
- Enforce strict browser security policies
Staying proactive not only protects critical business assets but also strengthens your overall cyber resilience.
Call to Action: Assess your browser security posture today and ensure all admin tools are vetted to prevent account takeover threats.